hads/renovate-config
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

chore(deps): update ghcr.io/renovatebot/renovate docker tag to v42 #878

Merged
hads merged 1 commits from renovate/ghcr.io-renovatebot-renovate-42.x into main 2025-11-07 01:12:35 +13:00
Conversation 0 Commits 1 Files Changed 1 +1 -1
hads commented 2025-11-07 01:12:30 +13:00
Owner
Copy Link

This PR contains the following updates:

Package Type Update Change
ghcr.io/renovatebot/renovate (source) container major 41.173.1 -> 42.0.0

Release Notes

renovatebot/renovate (ghcr.io/renovatebot/renovate)

v42.0.0

Compare Source

Breaking changes for 42

Using minimumReleaseAge will now require a release timestamp #​38843

When specifying minimumReleaseAge, Renovate will look for a release timestamp to determine the age of the release, and whether it matched the minimumReleaseAge configuration.

Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had passed that lifetime.

This means that users with artifact proxies, or in cases that the release timestamp wasn't consistently present could lead to dependencies "slipping through", and being updated before Renovate's policy enforced it to.

As of Renovate 42, the configuration minimumReleaseAgeBehaviour (added in 41.150.0) requires the release timestamp to be present.

If the release timestamp isn't present, Renovate will mark it as "awaiting schedule", and will output a debug log message to explain why.

You can revert to the existing behaviour by setting minimumReleaseAgeBehaviour=timestamp-optional.

Note that not all datasources support this functionality, nor do custom registries (such as Artifactory, etc).
For more details on how to verify support for your repository, check out the Minimum Release Age documentation

minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices #​37967

For users of config:best-practices, the Minimum Release Age functionality will now apply by default for the npm ecosystem.

This will introduce a delay of 3 days between package publishing and Renovate suggesting an update for the release, so:

  • there is time for malware researchers and scanners to (possibly) detect any malicious behaviour in new releases, before your CI infrastructure or developers receive a malicious version upgrade
  • you are not at risk of the package being unpublished in the 3 day window that the npm registry allows

This will be enforced by default for packages using the npm datasource via the security:minimumReleaseAgeNpm preset.

[!NOTE]
This may require additional configuration if using a custom registry, or you have packages that you wish to not have minimum release age checks.

For more details on this functionality, check out the Minimum Release Age documentation.

Renovate now defaults to using Node.JS 24 #​38939

With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.JS 24 (^24.11.0) as our default engine for Node, and retain support for Node 22.

The pre-built Docker containers have been updated to use Node 24.

If you self-host without using our Docker image, you should be able to continue running Renovate with Node 22, for instance if you build your own image, or run the renovate npm package.

Redis clusters now authenticate to all nodes in the cluster with the provided credentials

When running Renovate against a Redis cluster with authentication, it was possible that a NOAUTH Authentication required error may appear:

DEBUG: Redis cache init
DEBUG: Redis cache connected
...
 WARN: Error while setting Redis cache value (repository=jcl-test/example)
       "err": {"message": "NOAUTH Authentication required."}

Renovate will now use the same authentication for all nodes in a cluster.

Support Yarn Catalogs #​38215

We now support the official Yarn Catalog functionality.

As part of this, we have removed support for the yarn-plugin-catalogs community plugin.

If you are using the yarn-plugin-catalogs community plugin, you will need to migrate your catalogs to the official Yarn Catalog functionality before Renovate 42 will update your dependencies.

Remove versioning modules needing to implement rangeStrategy=pin #​36261

This is an internal refactor to make it easier for creating and maintaining versioning modules.

This should not be a non-breaking change, as the versioning modules will have defaults available.

However, we're releasing it as part of this major release, and highlighting it, in case it does lead to breaking changes.

PGP encryption is now performed using Bouncy Castle #​39032

GPG encryption is no longer performed using kbpgp Keybase's PGP for JavaScript), and has been replaced with a Bouncy Castle version.

Some users have found license compliance issues with the kbpgp package, so this will now resolve them.

Legacy RSA encryption has been removed #​39111

Deprecated since 37.315.0 (2024-04-21), the legacy RSA encryption is now no longer available.

Change to the default User Agent #​37535

The user-agent header for Renovate's outgoing HTTP calls has changed the default to Renovate/${version}.

Default tool version updates #​39100

For users of the upstream Renovate container images, the following tools have been updated to new major versions:

Tool Version
Erlang 28
Gradle 9
Java 25
Node 24
Python 3.14.0

Commentary for 42

Focus on minimumReleaseAge

You'll notice that there are a number of big features here - and in recent minor releases - that focus on Minimum Release Age.

With recent supply chain attacks, the Renovate team have been hard at work improving the support we've had in Renovate (since 2019!) for this functionality, and making it as predictable as possible, so we can then enable it by default for users of config:best-practices.

We're starting with the enabling of the npm datasource, but will look to extend this functionality in future major releases, based on community feedback, and ecosystem support.

Deprecations

As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 43:

42.0.0 (2025-11-06)

⚠ BREAKING CHANGES
  • deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#​39100)
  • deps: Needs NodeJS v24.11.0 instead of v24.10.0. NodeJS v22 is still supported.
  • npm: communit plugin yarn-catalogs-plugin is not supported anymore
  • drop legacy rsa encryption (#​39111)
  • remove rangeStrategy=pin from versioning modules (#​36261)
  • minimumReleaseAge: require a release timestamp by default (#​38843)
  • best-practices: provide default minimumReleaseAge for npm (#​37967)
  • redis: add default auth to redis clusters (#​37337)
  • remove the "Bot" from user-agent header (#​37535)
Features
Bug Fixes
Code Refactoring
Build System

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ghcr.io/renovatebot/renovate](https://renovatebot.com) ([source](https://github.com/renovatebot/renovate)) | container | major | `41.173.1` -> `42.0.0` | --- ### Release Notes <details> <summary>renovatebot/renovate (ghcr.io/renovatebot/renovate)</summary> ### [`v42.0.0`](https://github.com/renovatebot/renovate/releases/tag/42.0.0) [Compare Source](https://github.com/renovatebot/renovate/compare/41.173.1...42.0.0) #### Breaking changes for 42 ##### Using `minimumReleaseAge` will now require a release timestamp [#&#8203;38843](https://github.com/renovatebot/renovate/issues/38843) When specifying `minimumReleaseAge`, Renovate will look for a release timestamp to determine the age of the release, and whether it matched the `minimumReleaseAge` configuration. Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had passed that lifetime. This means that users with artifact proxies, or in cases that the release timestamp wasn't consistently present could lead to dependencies "slipping through", and being updated before Renovate's policy enforced it to. As of Renovate 42, the configuration [`minimumReleaseAgeBehaviour`](https://docs.renovatebot.com/configuration-options/#minimumreleaseagebehaviour) (added in 41.150.0) requires the release timestamp to be present. If the release timestamp isn't present, Renovate will mark it as "awaiting schedule", and will output a debug log message to explain why. You can revert to the existing behaviour by setting `minimumReleaseAgeBehaviour=timestamp-optional`. Note that not all datasources support this functionality, nor do custom registries (such as Artifactory, etc). For more details on how to verify support for your repository, check out the [Minimum Release Age documentation](https://docs.renovatebot.com/minimum-release-age/) ##### `minimumReleaseAge: 3 days` will now be set by default for npm in `config:best-practices` [#&#8203;37967](https://github.com/renovatebot/renovate/issues/37967) For users of [`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices), the [Minimum Release Age](https://docs.renovatebot.com/minimum-release-age/) functionality will now apply by default for the npm ecosystem. This will introduce a delay of **3 days** between package publishing and Renovate suggesting an update for the release, so: - there is time for malware researchers and scanners to (possibly) detect any malicious behaviour in new releases, before your CI infrastructure or developers receive a malicious version upgrade - you are not at risk of the package being unpublished in the 3 day window that the npm registry allows This will be enforced by default for packages using the [`npm` datasource](https://docs.renovatebot.com/modules/datasource/npm/) via the [`security:minimumReleaseAgeNpm`](https://docs.renovatebot.com/presets-security/#securityminimumreleaseagenpm) preset. > \[!NOTE] > This may require additional configuration if using a custom registry, or you have packages that you wish to not have minimum release age checks. For more details on this functionality, check out the [Minimum Release Age documentation](https://docs.renovatebot.com/minimum-release-age/). ##### Renovate now defaults to using Node.JS 24 [#&#8203;38939](https://github.com/renovatebot/renovate/issues/38939) With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.JS 24 (`^24.11.0`) as our default engine for Node, and retain support for Node 22. The pre-built Docker containers have been updated to use Node 24. If you self-host *without* using our Docker image, you should be able to continue running Renovate with Node 22, for instance if you build your own image, or run the `renovate` npm package. ##### Redis clusters now authenticate to all nodes in the cluster with the provided credentials When running Renovate against a Redis cluster with authentication, it was possible that a `NOAUTH Authentication required` error may appear: ``` DEBUG: Redis cache init DEBUG: Redis cache connected ... WARN: Error while setting Redis cache value (repository=jcl-test/example) "err": {"message": "NOAUTH Authentication required."} ``` Renovate will now use the same authentication for all nodes in a cluster. ##### Support Yarn Catalogs [#&#8203;38215](https://github.com/renovatebot/renovate/issues/38215) We now support the official [Yarn Catalog](https://yarnpkg.com/features/catalogs) functionality. As part of this, we have removed support for the [yarn-plugin-catalogs](https://github.com/toss/yarn-plugin-catalogs) community plugin. If you are using the [yarn-plugin-catalogs](https://github.com/toss/yarn-plugin-catalogs) community plugin, you will need to migrate your catalogs to the official Yarn Catalog functionality before Renovate 42 will update your dependencies. ##### Remove versioning modules needing to implement `rangeStrategy=pin` [#&#8203;36261](https://github.com/renovatebot/renovate/issues/36261) This is an internal refactor to make it easier for creating and maintaining versioning modules. This *should* not be a non-breaking change, as the versioning modules will have defaults available. However, we're releasing it as part of this major release, and highlighting it, in case it does lead to breaking changes. ##### PGP encryption is now performed using Bouncy Castle [#&#8203;39032](https://github.com/renovatebot/renovate/issues/39032) GPG encryption is no longer performed using [`kbpgp` Keybase's PGP for JavaScript)](https://www.npmjs.com/package/@&#8203;renovatebot/kbpgp), and has been replaced with a Bouncy Castle version. Some users have found license compliance issues with the `kbpgp` package, so this will now resolve them. ##### Legacy RSA encryption has been removed [#&#8203;39111](https://github.com/renovatebot/renovate/issues/39111) [Deprecated](https://github.com/renovatebot/renovate/pull/28557) since 37.315.0 (2024-04-21), the legacy RSA encryption is now no longer available. ##### Change to the default User Agent [#&#8203;37535](https://github.com/renovatebot/renovate/issues/37535) The `user-agent` header for Renovate's outgoing HTTP calls has changed the default to `Renovate/${version}`. ##### Default tool version updates [#&#8203;39100](https://github.com/renovatebot/renovate/issues/39100) For users of the upstream Renovate container images, the following tools have been updated to new major versions: | Tool | Version | | ------ | ------- | | Erlang | 28 | | Gradle | 9 | | Java | 25 | | Node | 24 | | Python | 3.14.0 | #### Commentary for 42 ##### Focus on `minimumReleaseAge` You'll notice that there are a number of big features here - and in recent minor releases - that focus on [Minimum Release Age](https://docs.renovatebot.com/key-concepts/minimum-release-age/). With recent supply chain attacks, the Renovate team have been hard at work improving the support we've had in Renovate (since 2019!) for this functionality, and making it as predictable as possible, so we can then enable it by default for users of `config:best-practices`. We're starting with the enabling of the `npm` datasource, but will look to extend this functionality in future major releases, based on community feedback, and ecosystem support. #### Deprecations As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 43: - [the `renovate-schema.json` will only support repository configuration](https://github.com/renovatebot/renovate/issues/38728), and a separate `renovate-admin-schema.json` will be needed for global/self-hosted configuration #### [42.0.0](https://github.com/renovatebot/renovate/compare/41.173.1...42.0.0) (2025-11-06) ##### ⚠ BREAKING CHANGES - **deps:** Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) ([#&#8203;39100](https://github.com/renovatebot/renovate/issues/39100)) - **deps:** Needs NodeJS v24.11.0 instead of v24.10.0. NodeJS v22 is still supported. - **npm:** communit plugin yarn-catalogs-plugin is not supported anymore - drop legacy rsa encryption ([#&#8203;39111](https://github.com/renovatebot/renovate/issues/39111)) - remove rangeStrategy=pin from versioning modules ([#&#8203;36261](https://github.com/renovatebot/renovate/issues/36261)) - **minimumReleaseAge:** require a release timestamp by default ([#&#8203;38843](https://github.com/renovatebot/renovate/issues/38843)) - **best-practices:** provide default `minimumReleaseAge` for npm ([#&#8203;37967](https://github.com/renovatebot/renovate/issues/37967)) - **redis:** add default auth to redis clusters ([#&#8203;37337](https://github.com/renovatebot/renovate/issues/37337)) - remove the "Bot" from user-agent header ([#&#8203;37535](https://github.com/renovatebot/renovate/issues/37535)) ##### Features - **best-practices:** provide default `minimumReleaseAge` for npm ([#&#8203;37967](https://github.com/renovatebot/renovate/issues/37967)) ([e371de1](https://github.com/renovatebot/renovate/commit/e371de1b9501807eeadcb3e190ccfe982b2df977)), closes [#&#8203;37952](https://github.com/renovatebot/renovate/issues/37952) - **deps:** Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) ([#&#8203;39100](https://github.com/renovatebot/renovate/issues/39100)) ([f9f810f](https://github.com/renovatebot/renovate/commit/f9f810f486621e6f43d2f5a59fe1877691366490)) - **minimumReleaseAge:** require a release timestamp by default ([#&#8203;38843](https://github.com/renovatebot/renovate/issues/38843)) ([1cf9b1c](https://github.com/renovatebot/renovate/commit/1cf9b1c6a4713a315c367153d2fe31dc5d4f3347)), closes [#&#8203;37952](https://github.com/renovatebot/renovate/issues/37952) - **npm:** support yarn catalogs ([#&#8203;38215](https://github.com/renovatebot/renovate/issues/38215)) ([d7a741b](https://github.com/renovatebot/renovate/commit/d7a741b831bc569f7564fe859b6ff0e16e7fca83)) - replace `kbpgp` with `bcpgp` ([#&#8203;39032](https://github.com/renovatebot/renovate/issues/39032)) ([6de0097](https://github.com/renovatebot/renovate/commit/6de0097dc87165b661f52821f0b3ef72cf52ec6e)) ##### Bug Fixes - drop legacy rsa encryption ([#&#8203;39111](https://github.com/renovatebot/renovate/issues/39111)) ([f1eefcf](https://github.com/renovatebot/renovate/commit/f1eefcf3938e34f2eaba6ba52fe67cb01cdcb416)) - **redis:** add default auth to redis clusters ([#&#8203;37337](https://github.com/renovatebot/renovate/issues/37337)) ([df9844d](https://github.com/renovatebot/renovate/commit/df9844d5ad019ca23930ea9ef8b9bf882848367f)) - remove the "Bot" from user-agent header ([#&#8203;37535](https://github.com/renovatebot/renovate/issues/37535)) ([4e4a0f9](https://github.com/renovatebot/renovate/commit/4e4a0f99b0da3352e417dbc52f4409557248c2ce)) ##### Code Refactoring - remove rangeStrategy=pin from versioning modules ([#&#8203;36261](https://github.com/renovatebot/renovate/issues/36261)) ([0d5d7a8](https://github.com/renovatebot/renovate/commit/0d5d7a866987dd694a13bea9b4ff176cab1a6355)) ##### Build System - **deps:** update dependency node to v24 (main) ([#&#8203;38939](https://github.com/renovatebot/renovate/issues/38939)) ([2e3da4d](https://github.com/renovatebot/renovate/commit/2e3da4d48cce8febf336e20811789d6a889deda6)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
hads added 1 commit 2025-11-07 01:12:31 +13:00
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v42 481ead4fbc
hads merged commit 1cdc3470e1 into main 2025-11-07 01:12:35 +13:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
hads
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: hads/renovate-config#878
No description provided.
Delete Branch "renovate/ghcr.io-renovatebot-renovate-42.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?